Anatomy of XSS

XSS, or Cross-Site Scripting, is a commonly found website vulnerability. It can be broken down into three sub-types:

Non-persistent / Reflected

Persistent / Stored

DOM-Based

Here I will be explaining non-persistent and persistent attacks as they are more commonly found and easier to understand.

Persistence

Simply put, the difference between a persistent attack and a non-persistent one is whether the attack payload gets stored on the vulnerable server. A persistent XSS attack can serve potentially malicious code to anyone visiting that page, which is why the attack is said to be ‘stored’.

Example

Here’s a big hint when looking for a possible reflected (non-persistent) XSS attack: it is described as reflected because whatever is searched for is reflected back to the user, and we can use this to our advantage when performing an XSS attack.

<p>You searched <b>someDomainName.com</b> for <i><b>hello</b></i></p>

The source code clearly shows that whatever we type in will be placed within the <b> tags.

Quick Test

With this knowledge in mind what would happen if we searched for:

<script>alert('sup')</script>

Anything?

If the website is completely vulnerable we would get an alert box with sup printed in the box.

This is not the case for this website in particular (which will remain unnamed); it seems as though the search function will strip out any symbols it deems unsafe.
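To make the reflection concrete, here is an added example (not code from the unnamed site or from this post) that rebuilds the quoted search markup three ways: the vulnerable string concatenation, a hypothetical symbol-stripping filter like the one the post observed, and the proper fix, HTML-encoding the term for the element-content context it lands in. The site name and the filter’s character set are assumptions; the payload is the one from the Quick Test above.

```python
import html

# Constructed values for this example; the site name is a placeholder.
SITE = "someDomainName.com"
PAYLOAD = "<script>alert('sup')</script>"


def render_unsafe(query: str) -> str:
    """Vulnerable rendering: the search term is concatenated straight into HTML,
    so a term containing markup becomes part of the page."""
    return f"<p>You searched <b>{SITE}</b> for <i><b>{query}</b></i></p>"


def render_stripped(query: str) -> str:
    """Denylist approach (hypothetical filter): drop a fixed set of characters
    deemed unsafe. This stops the obvious payload but is only as good as the
    list, so it is a weaker control than encoding the output."""
    cleaned = "".join(ch for ch in query if ch not in "<>\"'")
    return f"<p>You searched <b>{SITE}</b> for <i><b>{cleaned}</b></i></p>"


def render_escaped(query: str) -> str:
    """Correct fix: HTML-encode the term so the browser treats it as text,
    whatever characters it contains. quote=True also encodes ' and "."""
    safe = html.escape(query, quote=True)
    return f"<p>You searched <b>{SITE}</b> for <i><b>{safe}</b></i></p>"


def contains_script_tag(page: str) -> bool:
    """Check used here to show whether a literal <script> tag survived into the page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe),
                         ("stripped", render_stripped),
                         ("escaped", render_escaped)):
        page = render(PAYLOAD)
        print(f"{name:9s} script tag present: {contains_script_tag(page)}")
        print("   ", page)
```

Running it shows the unsafe version emitting the script tag verbatim, the stripped version emitting `scriptalert(sup)/script` with the symbols gone (exactly what the post saw), and the escaped version emitting `&lt;script&gt;…` which the browser displays as text. Output encoding is the control to rely on because it does not depend on predicting which characters an attacker will use.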

What Next?

To ensure that we’re not being blocked by any client-side protection we can do a few things: edit the page as it arrives, disable JavaScript, or, easier still, just submit all queries through the address bar.

http://search.someDomainName.com/search.jsp?query=hello

By sticking

?query=

onto the end of the search URL we are able to search straight from the address bar.

N.b. the parameter will not always be named

query

check the source code to find out.
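Because the reflected value arrives in the query string, the same parameter the post uses to test from the address bar is also where a defender can look for probes. The following added example (not from the post or the site) pulls the request path out of constructed access-log lines, decodes the query parameters with the standard library, and flags values of the reflected parameter that contain tag-like markup. The log format, hostnames and the default parameter name `query` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for this example (documentation IP ranges,
# placeholder paths); the second line carries the post's own test payload URL-encoded.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.jsp?query=hello HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /search.jsp?query=%3Cscript%3Ealert(%27sup%27)%3C/script%3E HTTP/1.1" 200 540',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about.jsp HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /search.jsp?q=hello&query=world HTTP/1.1" 200 500',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")  # something that parses as the start of an HTML tag


def query_params(url: str) -> dict:
    """Decode the query string of a URL or request path into {name: [values]}.
    parse_qs percent-decodes values, so %3Cscript%3E comes back as <script>."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def request_path(line: str):
    """Extract the request target from one combined-format log line, or None."""
    match = REQUEST_RE.search(line)
    return match.group(1) if match else None


def looks_like_xss_probe(value: str) -> bool:
    """Flag a decoded parameter value that contains tag-like markup."""
    return TAG_RE.search(value) is not None


def scan_log(lines, param: str = "query") -> list:
    """Return (path, decoded_value) pairs where the reflected parameter carried markup."""
    hits = []
    for line in lines:
        path = request_path(line)
        if path is None:
            continue
        for value in query_params(path).get(param, []):
            if looks_like_xss_probe(value):
                hits.append((path, value))
    return hits


if __name__ == "__main__":
    print(query_params("http://search.someDomainName.com/search.jsp?query=hello"))
    for path, value in scan_log(LOG_LINES):
        print("possible reflected XSS probe:", value, "in", path)
```

The check is deliberately narrow (only the parameter known to be reflected, only tag-like input) so it stays readable; in practice the parameter name comes from the page source, as the post says, and the decoded values should be matched after URL-decoding, as done here, rather than on the raw log text.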

Further Digging

Finding vulnerabilities in more secure systems will take time and will require more digging around to find a feature that could be vulnerable.

What became more interesting at this point is that, despite the search dropping symbols, another feature on the same page gave us exactly what we wanted!